Special Command: Analyzing and Reconstructing the Stack Using the k* Command and Its Variations

I’m starting a new series of articles focused on explaining special commands and showing how they can be used. You can read about WinDbg commands using the WinDbg documentation; however, sometimes you want to see the output of a specific command or you want to know when to use a specific command variation. Therefore, with these blog articles about special commands, you’ll have additional documentation that should help you during your debugging session. I will not explain all the command variations; only those that I think are important and useful.

So, first, let’s see some important k* variations and when to use them.

kL 1000

kL gives you the stack without any additional information. I use kL whenever I need to send a call stack to my customers and, at the same time, avoid confidential information like parameters or source code line numbers.

Tip: I always use 1000 to force the command to display the entire call stack. So 1000 is sufficient 99% of the time. Another approach is to use .kframes.

Example:

kpn 1000

I like to use the n variation when using kb, kP or kp because it shows you the frame number.

This variation shows you all the parameters for each method/function.

Tip: It’s useful when you have private symbols. Private symbols give you information like parameters and source code line numbers. If you have only public symbols, you may want to use kbn, explained below.

Example:

kbn 1000

This variation shows you the first three parameters passed to each function/method in the stack trace.

Tip: Using it when you have public symbols should help you figure out the first three parameters.

Example:

kvn 1000

If your stack is using Frame Pointer Omission (FPO), you may want to use kvn to see the number of parameters.

When using this variation you’ll see only one parameter for each line and not side by side like kpn.

Tip: Use it when you have stack frames with many parameters. It should be easier to read them.

Example:

kf 1000

Displays the distance between adjacent frames. This distance is the number of bytes that separate the frames on the actual stack.

Example:

kpM

This command uses DML (Debugger Markup Language) to display the call stack. Besides that, it gives you hyperlinks for each frame. When you click on a specific hyperlink, it shows you the local variables for this particular frame. This is cool!
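
The kL section recommends that form for stacks sent to customers because it leaves out parameters and source code line numbers. As an added example (not from the original article), this Python script checks a saved stack trace for those details before it is shared and reduces it to the module!function+offset form. The sample trace, the module and path names, and the helper names `leaks` and `redact` are constructed for illustration, and the patterns assume 32-bit output.

```python
import re

# Constructed sample in the shape of 32-bit kp output with private symbols
# (module, function and path names are invented for illustration).
KP_SAMPLE = r"""ChildEBP RetAddr
0012f8a4 0040115c MyApp!ProcessOrder(int orderId = 0n42, char * customer = 0x0012ff40 "alice")+0x2a [c:\src\myapp\order.cpp @ 118]
0012f8c8 00401310 MyApp!main(int argc = 0n1, char ** argv = 0x00342e90)+0x5c [c:\src\myapp\main.cpp @ 27]
0012f9f0 7c817077 MyApp!mainCRTStartup+0x173"""

SRC = re.compile(r"[ \t]*\[[^\]\n]* @ \d+\]")    # source file and line number
PARAMS = re.compile(r"\([^()\n]*=[^()\n]*\)")    # typed parameters with values
# kb/kbn frame: optional frame number, ChildEBP, RetAddr, three argument words
ARGS = re.compile(
    r"^((?:[0-9a-f]{2} )?[0-9a-f]{8} [0-9a-f]{8}) (?:[0-9a-f]{8} ){3}", re.M)

def leaks(trace):
    """Return (line_number, kind) for each line carrying detail kL omits."""
    found = []
    for no, line in enumerate(trace.splitlines(), 1):
        if SRC.search(line):
            found.append((no, "source-path"))
        if "=" in line:  # conservative: also trips on operator= symbols
            found.append((no, "parameter-value"))
        if ARGS.search(line) or "Args to Child" in line:
            found.append((no, "raw-args"))
    return found

def redact(trace):
    """Strip parameters and source info, then fail closed if any remain."""
    out = PARAMS.sub("", SRC.sub("", trace))
    out = ARGS.sub(r"\1 ", out).replace("Args to Child", "")
    out = "\n".join(line.rstrip() for line in out.splitlines())
    remaining = leaks(out)
    if remaining:
        raise ValueError(f"unredacted detail remains: {remaining}")
    return out

if __name__ == "__main__":
    print(leaks(KP_SAMPLE))
    print(redact(KP_SAMPLE))
```
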